Skip to content

Allow upload of CA certs for self signed certificate use #1383

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 42 commits into from
Nov 8, 2025
Merged

Allow upload of CA certs for self signed certificate use #1383

merged 42 commits into from
Nov 8, 2025
+1,990 βˆ’336

Conversation

@madhav165
Copy link
Collaborator

@madhav165 madhav165 commented Nov 3, 2025
edited
Loading

✨ Feature / Enhancement PR

πŸ”— Epic / Issue

Link to the epic or parent issue:
Closes #1278, #1287, #1364

πŸš€ Summary (1-2 sentences)

Adds first-class support for self-signed TLS by allowing users to upload a custom CA certificate. The CA is wired through gateway create/update flows, health checks, and tool calls, with UI-side file validation and updated docs.

πŸ§ͺ How to Test This Feature

Quick Setup

  1. Get your CA certificate file - If your MCP server uses a self-signed certificate, you'll need the CA certificate file (usually named something like cert.pem, ca.pem, ca.crt, or rootCA.pem)

  2. Open the MCP Gateway Admin Panel - Navigate to your gateway instance and log in as an admin

Testing Steps

Step 1: Add a New Gateway with CA Certificate

  1. Go to Admin β†’ Gateways tab
  2. Click Add Gateway
  3. Fill in your server details:
    • Name: My Test Server
    • URL: https://your-mcp-server.example.com (must be HTTPS)
  4. Scroll to the CA Certificate section
  5. Drag your certificate file (.pem, .crt, .cer, or .cert) into the upload area, or click to browse
  6. You should see a green checkmark: βœ… "All certificates validated successfully!"
  7. Click Save

Step 2: Verify the Connection Works

  1. After saving, the gateway should show as "Active" or "Reachable"
  2. Go to the Tools tab
  3. You should see tools from your newly added gateway listed
  4. Try invoking one of the tools to confirm it works

Step 3: (Optional) Test Multiple Certificate Files
If you have a certificate chain (root + intermediate CAs):

  1. Select multiple certificate files when uploading
  2. The system will automatically order and combine them
  3. You'll see each file validated individually

What You Should See

βœ… Success indicators:

  • Green checkmark after upload
  • Gateway shows as connected/reachable
  • Tools are discovered from the server
  • Tool invocations work without SSL errors

❌ If something's wrong:

  • Red X with error message (check file format or size)
  • Gateway shows as unreachable (check URL or certificate)

Need Help?

If you encounter issues:

  1. Check that your certificate file is in PEM format
  2. Verify the URL matches your server's certificate CN/SAN
  3. Ensure the file is under 10MB
  4. See the full documentation at: docs/docs/manage/self-signed-certificates.md

πŸ§ͺ Checks

  • make lint passes
  • make test passes
  • CHANGELOG updated (if user-facing)
  • Documentation added (docs/docs/manage/self-signed-certificates.md)

@madhav165 madhav165 self-assigned this Nov 3, 2025
@madhav165 madhav165 marked this pull request as draft November 3, 2025 17:37
@madhav165 madhav165 force-pushed the fix-for-self-signed-cert branch from 78ca19a to 5a13b71 Compare November 5, 2025 08:30
This was linked to issues Nov 5, 2025
[Feature Request]: Add Support for Self-Signed Certificates in MCP Gateway #1364
Closed
[Bug]:https mcp servers with self signed certificate not able to add #1278
Closed
[Bug]: Unable to use sso service with corporate CA #1287
Closed
@madhav165 madhav165 marked this pull request as ready for review November 5, 2025 15:39
@madhav165 madhav165 linked an issue Nov 6, 2025 that may be closed by this pull request
[Bug]: Alembic migrations fails in docker compose setup #946
Closed
7 tasks
@madhav165 madhav165 mentioned this pull request Nov 6, 2025
Closed
7 tasks
@madhav165 @crivetimihai
testing changes
4892ef5 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Add JS for file validation
8412188 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
JS cleanup
1200852 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
linting fixes
0d68908 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Working till adding gateway
2be6f5a 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Use ca cert for tool calls
79e0c9c 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Fix health checks
c95f3ea 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Use ca_cert in update_gateway
c3eef69 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Flake8 fixes
f8cbc90 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Linting fixes
4973ad8 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Update doctest
fa1b2dd 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Add Ed25519 signing code
1fa0b35 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Add validator for public key
ea6baf6 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Add cert validation
aa87aa1 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Allow multiple uploads
035c5ac 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
linting fixes
17f6510 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
bandit fix
18eb3f8 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Fix some tests
475e99d 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Fix test
4c9ad0d 
Signed-off-by: Madhav Kandukuri <[email protected]>
madhav165 and others added 22 commits November 8, 2025 21:41
@madhav165 @crivetimihai
Fix tests
7fe0e86 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Linting fixes
96dbaef 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Fix fstring
dc87607 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
eslint fixes
7862668 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
lint-web fixes
9549ca0 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Add alembic migration
ca6aa3b 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Make signing certs optional
ce71623 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Update README
55e6b85 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Minor change to README
6cbf51b 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Update sso_provider field validator
bf295f6 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Update charts
e6086ac 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
flake8 fix
9541f56 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
flake8 fixes
8922b55 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Use Containerfile.lite in docker compose
e18163d 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
checking compose upgrade for pg 18
0f50431 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Include pg_hba.conf step in upgrade
48e3202 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
lint fix
a753f45 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Mention about Postgres upgrade in Changelog
b5dfeb4 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Minor fix to commented alembic upgrade
9aea196 
Signed-off-by: Madhav Kandukuri <[email protected]>
@madhav165 @crivetimihai
Add documentation on self signed certs
41327c6 
Signed-off-by: Madhav Kandukuri <[email protected]>
@crivetimihai
fix: resolve rebase conflicts and update plugin API calls
1daf7c2 
- Fix imports: mcpgateway.models -> mcpgateway.common.models
- Add missing ToolHookType import
- Update plugin manager API: tool_pre_invoke -> invoke_hook with ToolHookType
- Update plugin manager API: tool_post_invoke -> invoke_hook with ToolHookType
- Update HttpHeaderPayload: headers -> root parameter
- Create alembic merge migration for CA cert and observability heads
- Apply pre-commit formatting fixes (trailing whitespace, tabs, encoding pragma)

Signed-off-by: Mihai Criveti <[email protected]>
@crivetimihai
Rebase
7d439f4 
Signed-off-by: Mihai Criveti <[email protected]>
@crivetimihai crivetimihai force-pushed the fix-for-self-signed-cert branch from 7743e2a to 7d439f4 Compare November 8, 2025 22:02
@crivetimihai crivetimihai removed the request for review from kevalmahajan November 8, 2025 22:23
@crivetimihai
Coverage
a5aa466 
Signed-off-by: Mihai Criveti <[email protected]>
@crivetimihai crivetimihai merged commit 2821907 into main Nov 8, 2025
40 of 42 checks passed
@crivetimihai crivetimihai deleted the fix-for-self-signed-cert branch November 8, 2025 22:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@crivetimihai crivetimihai crivetimihai approved these changes

Assignees

@madhav165 madhav165

Labels

None yet

Projects

None yet

Milestone

No milestone

3 participants

@madhav165 @crivetimihai